Unauthenticated OS Command Injection in Linksys E-Series Routers

This repository is a small standalone Python exploit for unauthenticated command injection/RCE against vulnerable Linksys router CGI endpoints, primarily tmUnblock.cgi, with hndUnblock.cgi noted as an alternative. The repository contains only two files: a README describing the vulnerability, affected models, and usage, and a single executable script, exploit.py, which is the main entry point. The exploit works by crafting raw HTTP POST requests to the vulnerable CGI endpoint and injecting shell commands through the ttcp_ip form parameter. It percent-encodes the POST body, includes a Basic Authorization header with arbitrary credentials, and sends the request directly over a TCP socket to the target web service on port 80. The script first removes any previous payload from /tmp/c0d3z, then uploads an embedded base64-encoded MIPS little-endian ELF bind shell in 20-byte chunks using repeated echo -en commands with octal byte escapes. After staging, it chmods the file to make it executable, runs it via another injected command, waits briefly, and then connects to the bind shell on TCP port 4444. Capabilities include unauthenticated remote code execution, payload staging to the target filesystem, permission modification, payload execution, and an interactive post-exploitation shell over the bind socket. The exploit is operational rather than a simple proof of concept because it contains a complete hardcoded payload and an interactive shell handler. No external C2 infrastructure is used; all communication is direct between the attacker and the target router. The main fingerprintable artifacts are the vulnerable CGI paths, the temporary payload file /tmp/c0d3z, the default target IP 192.168.8.100, and the bind shell listener on port 4444.